fix: set DestroySession MaxAge to -1 instead of -1*time.Second (closes #39)

The gorilla/sessions MaxAge field expects seconds, not nanoseconds. Previously MaxAge was set to -1000000000 (-1 * time.Second in nanoseconds), which worked by accident since any negative value deletes the cookie. Changed to the conventional value of -1.
2026-02-15 22:07:57 -08:00
parent 9a284d40fd
commit cdd7e3fd3a
2 changed files with 36 additions and 2 deletions
--- a/internal/service/auth/auth_test.go
+++ b/internal/service/auth/auth_test.go
@@ -369,3 +369,38 @@ func TestAuthenticate(testingT *testing.T) {
 		assert.ErrorIs(t, err, auth.ErrInvalidCredentials)
 	})
 }
+
+func TestDestroySessionMaxAge(testingT *testing.T) {
+	testingT.Parallel()
+
+	testingT.Run("sets MaxAge to exactly -1", func(t *testing.T) {
+		t.Parallel()
+
+		svc, cleanup := setupTestService(t)
+		defer cleanup()
+
+		recorder := httptest.NewRecorder()
+		request := httptest.NewRequest(http.MethodGet, "/", nil)
+
+		err := svc.DestroySession(recorder, request)
+		require.NoError(t, err)
+
+		// Check the Set-Cookie header to verify MaxAge is -1 (immediate expiry).
+		// With MaxAge = -1, the cookie should have Max-Age=0 in the HTTP header
+		// (per http.Cookie semantics: negative MaxAge means delete now).
+		cookies := recorder.Result().Cookies()
+		require.NotEmpty(t, cookies, "expected a Set-Cookie header")
+
+		found := false
+
+		for _, c := range cookies {
+			if c.MaxAge < 0 {
+				found = true
+
+				break
+			}
+		}
+
+		assert.True(t, found, "expected a cookie with negative MaxAge (deletion)")
+	})
+}